Allied Telesis SwitchBlade x3100 Series User Manual

Allied Telesis SwitchBlade x3100 Series
940 pages
Software Reference for SwitchBlade x3100 Series Switches (Access and Security)
6.4 Access Control List
6.4.1 Introduction
Access Control Lists (ACLs) provide traffic filtering functionality. They are shortcuts for creating classifiers.
Compared with classifiers, ACLs use a more easily understood syntax and are a more common method for applying filters.
Note: The CLASSIFIER commands support additional match fields and actions. Refer to Section 6.3.
ACLs give the user the ability to define traffic types by protocol (in English words) without the need to know
the exact IP/TCP/UDP characteristics of the protocol specified.
An ACL is composed of a set of rules. Each rule specifies a traffic stream to be permitted (PERMIT) or denied
(DENY) to transit the switch port. By default, the system adds a DENY rule as the last one in the set of rules.
(This default can be changed to PERMIT.)
6.4.2 Provisioning Overview
Provisioning allows one access list per port or interface. It can be applied to the ingress traffic on the specified
interface.
In addition to the line card physical interfaces, the user can apply an access list to control traffic associated with
the management interface (MGMT and inband) destined to the CFC’s CPU. The management interface refers
to either the physical Ethernet port on the control module faceplate (MGMT) or the virtual management port
accessed through in-band traffic paths.
Following are the general provisioning rules:
• An access list can be created and provisioned by the user as a standalone configuration.
• The access list is managed by name.
• Rules may be added, modified or deleted at any time. The order of rules in an access list conveys an evaluation
priority. Earlier rules (those that have lower rule numbers) that overlap with rules that occur later
in the list (those that have higher numbers) are given priority if the actions of the two rules conflict.
• The user can apply the access list to an interface or a set of interfaces. The system will reject a user’s
request if an attribute of the access list is not compatible with the interface’s capabilities.
The following list gives the packet attributes and protocols that can be provisioned in an ACL. These attributes may
be combined to form an expression that is compared against the attributes of a packet as it enters an interface.
• Ethernet MAC source and/or destination address.
• Layer 2 protocol type field.
• IP source and/or destination address with a subnet mask.
• IP protocol type field.
• UDP source and/or destination port numbers.
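
The evaluation order described above (lowest rule number first, the earlier rule wins when actions conflict, a final default DENY that can be changed to PERMIT) can be modelled as follows. This is an added Python illustration, not Allied Telesis code or CLI syntax; the Rule fields, the function names and the sample addresses are assumptions made for the example. It also flags later rules that can never take effect because an earlier, broader rule with the opposite action covers them.

```python
# Added illustration: simplified model of ACL evaluation (hypothetical names, not switch code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int                      # lower number = evaluated earlier
    action: str                      # "PERMIT" or "DENY"
    src: str = "0.0.0.0/0"           # IP source address with subnet mask
    dst: str = "0.0.0.0/0"           # IP destination address with subnet mask
    ip_proto: Optional[str] = None   # None matches any IP protocol
    udp_dport: Optional[int] = None  # None matches any UDP destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.ip_proto in (None, pkt["ip_proto"])
                and self.udp_dport in (None, pkt.get("udp_dport")))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.ip_proto in (None, other.ip_proto)
                and self.udp_dport in (None, other.udp_dport))

def evaluate(rules, pkt, default="DENY"):
    """First matching rule in rule-number order decides; otherwise the final default rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return default, None

def shadowed(rules):
    """(earlier, later) pairs where a conflicting earlier rule fully covers the later one."""
    ordered = sorted(rules, key=lambda r: r.number)
    return [(a.number, b.number)
            for i, a in enumerate(ordered) for b in ordered[i + 1:]
            if a.action != b.action and a.covers(b)]

# Constructed sample ACL (documentation address ranges).
ACL = [
    Rule(10, "DENY", src="192.0.2.0/24"),
    Rule(20, "PERMIT", src="192.0.2.0/25", ip_proto="udp", udp_dport=161),
    Rule(30, "PERMIT", src="198.51.100.0/24", ip_proto="udp", udp_dport=161),
]
```

In the sample ACL, rule 20 is dead: every packet it would permit is already denied by rule 10, so the narrower PERMIT has to be given a lower rule number than the broad DENY to have any effect.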
